agent-passport-system 2.7.0 → 2.8.0

package/dist/src/v2/regulated-action/types.d.ts

@@ -0,0 +1,142 @@
+export declare const REGULATED_ACTION_PROFILE: "aps-regulated-action-v0";
+export declare const ACTION_CLASS_RANK: {
+    readonly read: 0;
+    readonly internal_write: 1;
+    readonly external_message: 2;
+    readonly financial_movement: 3;
+    readonly regulated_decision: 4;
+    readonly irreversible_action: 5;
+};
+export type ActionClass = keyof typeof ACTION_CLASS_RANK;
+export declare const RAPV0_TAG: {
+    readonly actor: "APS-RAPV0-ACTOR";
+    readonly intent: "APS-RAPV0-INTENT";
+    readonly policy: "APS-RAPV0-POLICY";
+    readonly resource: "APS-RAPV0-RESOURCE-CONFIRMATION";
+    readonly authority: "APS-RAPV0-AUTHORITY";
+    readonly lifecycle: "APS-RAPV0-LIFECYCLE";
+};
+export interface SignatureBlock {
+    alg: string;
+    key_id: string;
+    sig: string;
+}
+export interface AuthorityRef {
+    type: 'id_jag' | 'ema';
+    issuer: string;
+    subject: string;
+    audience: string;
+    scope_hash: string;
+    issued_at: string;
+    expires_at: string;
+    assertion_hash: string;
+    jti: string;
+    assertion_sig: string;
+}
+export interface IntentCommitment {
+    created_before_execution: true;
+    intent_hash: string;
+    expected_effect_hash: string;
+    gateway_nonce: string;
+    timestamp_ms: number;
+    scope: string;
+    signature: string;
+}
+export type DecisionBasisLeaf = 'input_artifact_hashes' | 'policy_version_hash' | 'tool_call_refs' | 'risk_flags' | 'approval_state' | 'model_runtime_context_summary_hash' | 'uncertainty_band' | 'resource_correlation_ref';
+export interface DecisionBasisCommitment {
+    root_hash: string;
+    leaves_schema: DecisionBasisLeaf[];
+    raw_chain_of_thought_included: false;
+}
+export interface GatewayPolicyDecision {
+    policy_version_hash: string;
+    decision: 'allow' | 'deny' | 'hold';
+    action_class_assigned: ActionClass;
+    signer: string;
+    signature: string;
+}
+export type ResourceConfirmationType = 'native_resource_signed' | 'boundary_attested' | 'boundary_attested_weak' | 'channel_authenticated' | 'manual_reconciliation' | 'missing';
+export type RealizedEffectProvenance = 'ban_derived' | 'echoed';
+export interface ResourceConfirmationRef {
+    type: ResourceConfirmationType;
+    resource_transaction_id: string;
+    correlation_id: string;
+    gateway_nonce_echo: string;
+    realized_effect_hash: string;
+    realized_effect_provenance: RealizedEffectProvenance;
+    status: string;
+    timestamp_ms: number;
+    signer_key_id: string;
+    signature: string;
+}
+export interface TransparencyRef {
+    type: 'scitt' | 'enterprise_merkle_log';
+    log_id: string;
+    inclusion_proof: InclusionStep[];
+    anchored_at_state: string;
+    tree_size: number;
+    leaf_hash: string;
+}
+export interface InclusionStep {
+    dir: 'L' | 'R';
+    hash: string;
+}
+export interface RegulatedActionReceiptV0 {
+    profile: typeof REGULATED_ACTION_PROFILE;
+    receipt_id: string;
+    action_class: ActionClass;
+    actor_signature: SignatureBlock;
+    aps_delegation_ref?: string;
+    authority_ref?: AuthorityRef;
+    intent_commitment?: IntentCommitment;
+    decision_basis_commitment?: DecisionBasisCommitment;
+    gateway_policy_decision?: GatewayPolicyDecision;
+    resource_confirmation_ref?: ResourceConfirmationRef;
+    transparency_ref?: TransparencyRef;
+}
+export interface RegisteredResourceKey {
+    publicKey: string;
+    registered_by_operator: boolean;
+}
+export interface VerificationContext {
+    idp_keyset: Record<string, string>;
+    operator_anchored_idp_copy?: Record<string, string>;
+    registered_resource_keys: Record<string, RegisteredResourceKey>;
+    operator_domain_registry: Record<string, {
+        publicKey: string;
+        identity: string;
+    }>;
+    operator_identity_id: string;
+    gateway_key_id?: string;
+    registered_log_roots: Record<string, string>;
+    allowed_clock_skew_ms?: number;
+    reserved_ts: number;
+    submitted_ts: number;
+    max_authority_execution_window_ms: number;
+    per_class_required_fields?: Partial<Record<ActionClass, string[]>>;
+    completeness_match?: boolean;
+    anchor_orders_intent_before_resource?: boolean;
+    non_equivocation_ok?: boolean;
+}
+export type Disposition = 'void' | 'void_policy_violation' | 'void_temporal_violation' | 'void_reconciliation_mismatch' | 'resource_unbound' | 'authority_invalid' | 'self_attested' | 'regulator_grade_for_class' | 'reconciled' | 'intent_precommitted' | 'authority_bound' | 'incomplete_for_class';
+export type IncompleteReason = 'policy_denied_no_execution' | 'missing_authority' | 'missing_transparency_anchor' | 'execution_unconfirmed';
+export type AuthorityBasis = 'external_idp' | 'operator_anchored_copy_weak';
+export interface TrustDomainSeparation {
+    computed_domains: number;
+    idp_counts: boolean;
+    resource_counts: boolean;
+    operator_identity: string;
+    separation_ok: boolean;
+}
+export interface RegulatedVerifyResult {
+    profile: typeof REGULATED_ACTION_PROFILE;
+    disposition: Disposition;
+    incomplete_reason?: IncompleteReason;
+    violations: Disposition[];
+    missing_evidence: string[];
+    trust_domain_separation: TrustDomainSeparation;
+    authority_basis?: AuthorityBasis;
+    authority_replay: 'not_evaluated' | 'pass' | 'fail';
+    judgment_correctness: 'not_claimed';
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/src/v2/regulated-action/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/v2/regulated-action/types.ts"],"names":[],"mappings":"AAaA,eAAO,MAAM,wBAAwB,EAAG,yBAAkC,CAAA;AAI1E,eAAO,MAAM,iBAAiB;;;;;;;CAOpB,CAAA;AACV,MAAM,MAAM,WAAW,GAAG,MAAM,OAAO,iBAAiB,CAAA;AAIxD,eAAO,MAAM,SAAS;;;;;;;CAOZ,CAAA;AAEV,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,MAAM,CAAA;IACX,MAAM,EAAE,MAAM,CAAA;IACd,GAAG,EAAE,MAAM,CAAA;CACZ;AAKD,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,QAAQ,GAAG,KAAK,CAAA;IACtB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,EAAE,MAAM,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;IAClB,cAAc,EAAE,MAAM,CAAA;IACtB,GAAG,EAAE,MAAM,CAAA;IAKX,aAAa,EAAE,MAAM,CAAA;CACtB;AAID,MAAM,WAAW,gBAAgB;IAC/B,wBAAwB,EAAE,IAAI,CAAA;IAC9B,WAAW,EAAE,MAAM,CAAA;IACnB,oBAAoB,EAAE,MAAM,CAAA;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,YAAY,EAAE,MAAM,CAAA;IACpB,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;CAClB;AAKD,MAAM,MAAM,iBAAiB,GACzB,uBAAuB,GACvB,qBAAqB,GACrB,gBAAgB,GAChB,YAAY,GACZ,gBAAgB,GAChB,oCAAoC,GACpC,kBAAkB,GAClB,0BAA0B,CAAA;AAE9B,MAAM,WAAW,uBAAuB;IACtC,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa,EAAE,iBAAiB,EAAE,CAAA;IAClC,6BAA6B,EAAE,KAAK,CAAA;CACrC;AAED,MAAM,WAAW,qBAAqB;IACpC,mBAAmB,EAAE,MAAM,CAAA;IAC3B,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,CAAA;IACnC,qBAAqB,EAAE,WAAW,CAAA;IAClC,MAAM,EAAE,MAAM,CAAA;IACd,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,MAAM,wBAAwB,GAChC,wBAAwB,GACxB,mBAAmB,GACnB,wBAAwB,GACxB,uBAAuB,GACvB,uBAAuB,GACvB,SAAS,CAAA;AAEb,MAAM,MAAM,wBAAwB,GAAG,aAAa,GAAG,QAAQ,CAAA;AAK/D,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,wBAAwB,CAAA;IAC9B,uBAAuB,EAAE,MAAM,CAAA;IAC/B,cAAc,EAAE,MAAM,CAAA;IACtB,kBAAkB,EAAE,MAAM,CAAA;IAC1B,oBAAoB,EAAE,MAAM,CAAA;IAC5B,0BAA0B,EAAE,wBAAwB,CAAA;IACpD,MAAM,EAAE,MAAM,CAAA;IACd,YAAY,EAAE,MAAM,CAAA;IACpB,aAAa,EAAE,MAAM,CAAA;IACrB,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,OAAO,GAAG,uBAAuB,CAAA;IACvC,MAAM,EAAE,MAAM,CAAA;IACd,eAAe,EAAE,aAAa,EAAE,CAAA;IAChC,iBAAiB,EAAE,MAAM,CAAA;IACzB,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,GAAG,GAAG,GAAG,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;CACb;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,wBAAwB,CAAA;IACxC,UAAU,EAAE,MAAM,CAAA;IAClB,YAAY,EAAE,WAAW,CAAA;IACzB,eAAe,EAAE,cAAc,CAAA;IAC/B,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B,aAAa,CAAC,EAAE,YAAY,CAAA;IAC5B,iBAAiB,CAAC,EAAE,gBAAgB,CAAA;IACpC,yBAAyB,CAAC,EAAE,uBAAuB,CAAA;IACnD,uBAAuB,CAAC,EAAE,qBAAqB,CAAA;IAC/C,yBAAyB,CAAC,EAAE,uBAAuB,CAAA;IACnD,gBAAgB,CAAC,EAAE,eAAe,CAAA;CAGnC;AAID,MAAM,WAAW,qBAAqB;IACpC,SAAS,EAAE,MAAM,CAAA;IAGjB,sBAAsB,EAAE,OAAO,CAAA;CAChC;AAED,MAAM,WAAW,mBAAmB;IAGlC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAGlC,0BAA0B,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAEnD,wBAAwB,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAA;IAI/D,wBAAwB,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IACjF,oBAAoB,EAAE,MAAM,CAAA;IAI5B,cAAc,CAAC,EAAE,MAAM,CAAA;IAEvB,oBAAoB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAK5C,qBAAqB,CAAC,EAAE,MAAM,CAAA;IAE9B,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,EAAE,MAAM,CAAA;IACpB,iCAAiC,EAAE,MAAM,CAAA;IAEzC,yBAAyB,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,EAAE,CAAC,CAAC,CAAA;IAGlE,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAG5B,oCAAoC,CAAC,EAAE,OAAO,CAAA;IAI9C,mBAAmB,CAAC,EAAE,OAAO,CAAA;CAC9B;AAGD,MAAM,MAAM,WAAW,GACnB,MAAM,GACN,uBAAuB,GACvB,yBAAyB,GACzB,8BAA8B,GAC9B,kBAAkB,GAClB,mBAAmB,GACnB,eAAe,GACf,2BAA2B,GAC3B,YAAY,GACZ,qBAAqB,GACrB,iBAAiB,GACjB,sBAAsB,CAAA;AAE1B,MAAM,MAAM,gBAAgB,GACxB,4BAA4B,GAC5B,mBAAmB,GACnB,6BAA6B,GAC7B,uBAAuB,CAAA;AAE3B,MAAM,MAAM,cAAc,GAAG,cAAc,GAAG,6BAA6B,CAAA;AAE3E,MAAM,WAAW,qBAAqB;IACpC,gBAAgB,EAAE,MAAM,CAAA;IACxB,UAAU,EAAE,OAAO,CAAA;IACnB,eAAe,EAAE,OAAO,CAAA;IACxB,iBAAiB,EAAE,MAAM,CAAA;IACzB,aAAa,EAAE,OAAO,CAAA;CACvB;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,wBAAwB,CAAA;IACxC,WAAW,EAAE,WAAW,CAAA;IACxB,iBAAiB,CAAC,EAAE,gBAAgB,CAAA;IAGpC,UAAU,EAAE,WAAW,EAAE,CAAA;IACzB,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,uBAAuB,EAAE,qBAAqB,CAAA;IAC9C,eAAe,CAAC,EAAE,cAAc,CAAA;IAGhC,gBAAgB,EAAE,eAAe,GAAG,MAAM,GAAG,MAAM,CAAA;IAEnD,oBAAoB,EAAE,aAAa,CAAA;CACpC"}

package/dist/src/v2/regulated-action/types.js

@@ -0,0 +1,34 @@
+// Copyright 2024-2026 Tymofii Pidlisnyi. Apache-2.0 license. See LICENSE.
+// APS Regulated Action Profile v0. Principle: Reconciled Action Attestation.
+//
+// Public primitive. Profile types per RAPV0-FROZEN-CONTRACT.md section A. A regulated
+// action (class rank >= 3) reaches finality only when a pre-committed intent reconciles
+// against two anchors OUTSIDE the operator trust domain: the IdP authority (EMA/ID-JAG)
+// and the resource system of record. The verifier counts trust DOMAINS, not signatures.
+//
+// This module ships the receipt shape, the VerificationContext, and the disposition
+// vocabulary. The deterministic verifier is in ./verify.ts. Product intelligence
+// (reconciliation engine, chokepoint, BAN, transparency service, completeness layer)
+// is NOT here; it is the private gateway. judgment_correctness is always not_claimed.
+export const REGULATED_ACTION_PROFILE = 'aps-regulated-action-v0';
+// Rank map. action_class is SET BY GATEWAY POLICY, never the agent. Compare via this
+// map, never enum order. Rank >= 3 is "regulated" for the finality gate.
+export const ACTION_CLASS_RANK = {
+    read: 0,
+    internal_write: 1,
+    external_message: 2,
+    financial_movement: 3,
+    regulated_decision: 4,
+    irreversible_action: 5,
+};
+// Domain-separation tags. Each signature signs a canonical subobject prefixed by its tag,
+// never the whole mutable receipt.
+export const RAPV0_TAG = {
+    actor: 'APS-RAPV0-ACTOR',
+    intent: 'APS-RAPV0-INTENT',
+    policy: 'APS-RAPV0-POLICY',
+    resource: 'APS-RAPV0-RESOURCE-CONFIRMATION',
+    authority: 'APS-RAPV0-AUTHORITY',
+    lifecycle: 'APS-RAPV0-LIFECYCLE',
+};
+//# sourceMappingURL=types.js.map

package/dist/src/v2/regulated-action/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/v2/regulated-action/types.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,6EAA6E;AAC7E,EAAE;AACF,sFAAsF;AACtF,wFAAwF;AACxF,wFAAwF;AACxF,wFAAwF;AACxF,EAAE;AACF,oFAAoF;AACpF,iFAAiF;AACjF,qFAAqF;AACrF,sFAAsF;AAEtF,MAAM,CAAC,MAAM,wBAAwB,GAAG,yBAAkC,CAAA;AAE1E,qFAAqF;AACrF,yEAAyE;AACzE,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,IAAI,EAAE,CAAC;IACP,cAAc,EAAE,CAAC;IACjB,gBAAgB,EAAE,CAAC;IACnB,kBAAkB,EAAE,CAAC;IACrB,kBAAkB,EAAE,CAAC;IACrB,mBAAmB,EAAE,CAAC;CACd,CAAA;AAGV,0FAA0F;AAC1F,mCAAmC;AACnC,MAAM,CAAC,MAAM,SAAS,GAAG;IACvB,KAAK,EAAE,iBAAiB;IACxB,MAAM,EAAE,kBAAkB;IAC1B,MAAM,EAAE,kBAAkB;IAC1B,QAAQ,EAAE,iCAAiC;IAC3C,SAAS,EAAE,qBAAqB;IAChC,SAAS,EAAE,qBAAqB;CACxB,CAAA"}

package/dist/src/v2/regulated-action/verify.d.ts

@@ -0,0 +1,10 @@
+import { ACTION_CLASS_RANK } from './types.js';
+import type { RegulatedActionReceiptV0, VerificationContext, RegulatedVerifyResult } from './types.js';
+/**
+ * Verify a RegulatedActionReceiptV0 against a VerificationContext. Returns the disposition,
+ * every terminal condition that held (violations[]), missing evidence, the computed
+ * trust-domain separation, the authority basis, and judgment_correctness: not_claimed.
+ */
+export declare function verifyRegulatedAction(receipt: RegulatedActionReceiptV0, ctx: VerificationContext): RegulatedVerifyResult;
+export declare function actionClassRank(c: keyof typeof ACTION_CLASS_RANK): number;
+//# sourceMappingURL=verify.d.ts.map

package/dist/src/v2/regulated-action/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../../../src/v2/regulated-action/verify.ts"],"names":[],"mappings":"AAYA,OAAO,EAGL,iBAAiB,EAClB,MAAM,YAAY,CAAA;AACnB,OAAO,KAAK,EACV,wBAAwB,EACxB,mBAAmB,EACnB,qBAAqB,EAItB,MAAM,YAAY,CAAA;AAsBnB;;;;GAIG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,wBAAwB,EACjC,GAAG,EAAE,mBAAmB,GACvB,qBAAqB,CA2NvB;AAGD,wBAAgB,eAAe,CAAC,CAAC,EAAE,MAAM,OAAO,iBAAiB,GAAG,MAAM,CAEzE"}

package/dist/src/v2/regulated-action/verify.js

@@ -0,0 +1,252 @@
+// Copyright 2024-2026 Tymofii Pidlisnyi. Apache-2.0 license. See LICENSE.
+// APS Regulated Action Profile v0: the deterministic disposition verifier (A2).
+//
+// This is the canonical truth-table from RAPV0-FROZEN-CONTRACT.md section B (amended order).
+// It is total, deterministic from explicit inputs, most-dangerous-first, first match wins.
+// It is STATELESS and PURE: no network, no wall-clock read, no replay state. Every input
+// comes from the caller via VerificationContext. Replay/jti/nonce uniqueness is reported as
+// authority_replay: not_evaluated and is computed by the PRIVATE gateway, never here.
+// judgment_correctness is always not_claimed: we never certify a discretionary judgment.
+import { canonicalizeJCS, canonicalHashJCS } from '../../core/canonical-jcs.js';
+import { verify as edVerify } from '../../crypto/keys.js';
+import { REGULATED_ACTION_PROFILE, RAPV0_TAG, ACTION_CLASS_RANK, } from './types.js';
+const RESOURCE_VALID_TYPES = new Set(['native_resource_signed', 'boundary_attested']);
+const RESOURCE_VALID_STATUS = new Set(['accepted', 'settled']);
+function sigOk(payload, sig, pubkey) {
+    if (!sig || !pubkey)
+        return false;
+    try {
+        return edVerify(payload, sig, pubkey);
+    }
+    catch {
+        return false;
+    }
+}
+// Canonical signed payload for a domain-separated subobject: tag, then strict JCS of the
+// subobject with its own signature field removed.
+function signedPayload(tag, subobject, sigField) {
+    const copy = { ...subobject };
+    delete copy[sigField];
+    return `${tag}.${canonicalizeJCS(copy)}`;
+}
+/**
+ * Verify a RegulatedActionReceiptV0 against a VerificationContext. Returns the disposition,
+ * every terminal condition that held (violations[]), missing evidence, the computed
+ * trust-domain separation, the authority basis, and judgment_correctness: not_claimed.
+ */
+export function verifyRegulatedAction(receipt, ctx) {
+    const missing = [];
+    // ── crypto_ok: operator-domain and resource-domain sigs only (NOT the authority sig). ──
+    const opReg = ctx.operator_domain_registry || {};
+    const actorKey = opReg[receipt.actor_signature?.key_id]?.publicKey;
+    let cryptoOk = sigOk(signedPayload(RAPV0_TAG.actor, { profile: receipt.profile, receipt_id: receipt.receipt_id, action_class: receipt.action_class, key_id: receipt.actor_signature?.key_id }, 'sig'), receipt.actor_signature?.sig, actorKey);
+    const intentPresent = !!receipt.intent_commitment;
+    if (intentPresent) {
+        const ic = receipt.intent_commitment;
+        const intentSignerId = receipt.gateway_policy_decision?.signer ?? ctx.gateway_key_id;
+        const intentKey = intentSignerId ? opReg[intentSignerId]?.publicKey : undefined;
+        const intentSigOk = sigOk(signedPayload(RAPV0_TAG.intent, ic, 'signature'), ic.signature, intentKey);
+        cryptoOk = cryptoOk && intentSigOk;
+    }
+    const policyPresent = !!receipt.gateway_policy_decision;
+    if (policyPresent) {
+        const pd = receipt.gateway_policy_decision;
+        const policyKey = opReg[pd.signer]?.publicKey;
+        const policySigOk = sigOk(signedPayload(RAPV0_TAG.policy, pd, 'signature'), pd.signature, policyKey);
+        cryptoOk = cryptoOk && policySigOk;
+    }
+    // crypto_ok covers ONLY the operator envelope (actor/intent/policy). It deliberately EXCLUDES
+    // the resource sig and the authority sig: a forged/unverifiable EXTERNAL resource confirmation
+    // must not void the operator's receipt, it must fail to establish the resource domain
+    // (resource_present_valid=false), dropping below reconciled. Only a tampered OPERATOR sig voids.
+    if (!cryptoOk)
+        missing.push('crypto');
+    // resource signature: evaluated for resource_present_valid / independence only.
+    const rc = receipt.resource_confirmation_ref;
+    let resourceSigVerifies = false;
+    let resourceKeyIndependent = false;
+    if (rc) {
+        const rk = ctx.registered_resource_keys?.[rc.signer_key_id];
+        resourceSigVerifies = sigOk(signedPayload(RAPV0_TAG.resource, rc, 'signature'), rc.signature, rk?.publicKey);
+        resourceKeyIndependent = !!rk && rk.registered_by_operator === false;
+    }
+    // ── authority trichotomy: ok / weak_basis / invalid ──
+    const ar = receipt.authority_ref;
+    const authorityPresent = !!ar;
+    let authorityOk = false;
+    let authorityWeakBasis = false;
+    let authorityInvalid = false;
+    let authorityBasis;
+    if (ar) {
+        const claims = { ...ar };
+        delete claims.assertion_sig;
+        const authPayload = `${RAPV0_TAG.authority}.${canonicalizeJCS(claims)}`;
+        const extVerifies = sigOk(authPayload, ar.assertion_sig, ctx.idp_keyset?.[ar.issuer]);
+        const opVerifies = sigOk(authPayload, ar.assertion_sig, ctx.operator_anchored_idp_copy?.[ar.issuer]);
+        const issuedMs = Date.parse(ar.issued_at);
+        const expiresMs = Date.parse(ar.expires_at);
+        const validAcross = Number.isFinite(issuedMs) && Number.isFinite(expiresMs) &&
+            issuedMs <= ctx.reserved_ts && expiresMs >= ctx.submitted_ts;
+        const withinWindow = ctx.submitted_ts - ctx.reserved_ts <= ctx.max_authority_execution_window_ms;
+        const freshnessOk = validAcross && withinWindow;
+        authorityOk = extVerifies && freshnessOk;
+        authorityWeakBasis = !authorityOk && !extVerifies && opVerifies && freshnessOk;
+        authorityInvalid = !authorityOk && !authorityWeakBasis;
+        authorityBasis = authorityOk ? 'external_idp' : authorityWeakBasis ? 'operator_anchored_copy_weak' : undefined;
+        if (authorityInvalid)
+            missing.push('authority');
+    }
+    else {
+        missing.push('authority');
+    }
+    // ── intent ──
+    let intentOk = false;
+    if (receipt.intent_commitment) {
+        const ic = receipt.intent_commitment;
+        const recomputed = canonicalHashJCS({
+            action_class: receipt.action_class,
+            scope: ic.scope,
+            authority_assertion_hash: ar?.assertion_hash ?? '',
+            decision_basis_root_hash: receipt.decision_basis_commitment?.root_hash ?? '',
+            expected_effect_hash: ic.expected_effect_hash,
+        });
+        intentOk = ic.created_before_execution === true && recomputed === ic.intent_hash;
+    }
+    // ── policy ──
+    const pd = receipt.gateway_policy_decision;
+    const policyAllow = !!pd && pd.decision === 'allow' && pd.action_class_assigned === receipt.action_class;
+    const policyDeny = !!pd && (pd.decision === 'deny' || pd.decision === 'hold');
+    // ── resource ──
+    const resourcePresentValid = !!rc &&
+        RESOURCE_VALID_TYPES.has(rc.type) &&
+        rc.realized_effect_provenance === 'ban_derived' &&
+        resourceSigVerifies &&
+        resourceKeyIndependent &&
+        RESOURCE_VALID_STATUS.has(rc.status);
+    const resourceMatches = intentOk && !!rc && !!receipt.intent_commitment &&
+        rc.gateway_nonce_echo === receipt.intent_commitment.gateway_nonce &&
+        rc.realized_effect_hash === receipt.intent_commitment.expected_effect_hash;
+    const resourceOk = resourcePresentValid && resourceMatches;
+    const executed = resourcePresentValid || ctx.completeness_match === true;
+    // ── transparency anchor ──
+    let anchorPresent = false;
+    if (receipt.transparency_ref) {
+        const tr = receipt.transparency_ref;
+        const root = ctx.registered_log_roots?.[tr.log_id];
+        let proofOk = false;
+        if (root) {
+            // Recompute the Merkle root from leaf_hash + inclusion_proof; compare to registered root.
+            let acc = tr.leaf_hash;
+            try {
+                for (const step of tr.inclusion_proof) {
+                    acc = step.dir === 'L' ? canonicalHashJCS({ l: step.hash, r: acc }) : canonicalHashJCS({ l: acc, r: step.hash });
+                }
+                proofOk = acc === root;
+            }
+            catch {
+                proofOk = false;
+            }
+        }
+        anchorPresent = proofOk && tr.anchored_at_state === 'reserved';
+    }
+    if (!anchorPresent)
+        missing.push('transparency_anchor');
+    const temporalViolation = anchorPresent && ctx.anchor_orders_intent_before_resource === false;
+    const temporalConsistent = anchorPresent && ctx.anchor_orders_intent_before_resource === true;
+    const noneqOk = anchorPresent && ctx.non_equivocation_ok !== false;
+    // ── domains and separation ──
+    const idpCounts = authorityOk;
+    const resourceCounts = resourceOk && resourceKeyIndependent;
+    const domains = (idpCounts ? 1 : 0) + (resourceCounts ? 1 : 0);
+    const operatorKeyIds = [];
+    if (receipt.actor_signature?.key_id)
+        operatorKeyIds.push(receipt.actor_signature.key_id);
+    if (pd?.signer)
+        operatorKeyIds.push(pd.signer);
+    if (receipt.intent_commitment) {
+        const intentSignerId = pd?.signer ?? ctx.gateway_key_id;
+        if (intentSignerId)
+            operatorKeyIds.push(intentSignerId);
+    }
+    const separationOk = operatorKeyIds.every((kid) => opReg[kid]?.identity === ctx.operator_identity_id);
+    // ── per-class required fields (regulator_grade tier) ──
+    // regulator_grade_for_class is an opt-in STRICTER tier: reachable only when the caller
+    // supplies a per-class bar (non-empty) AND every required field is present. Without a defined
+    // bar for the class, the strongest honest claim is reconciled, never regulator_grade.
+    const requiredFields = ctx.per_class_required_fields?.[receipt.action_class] ?? [];
+    const perClassOk = requiredFields.length > 0 &&
+        requiredFields.every((f) => receipt[f] !== undefined);
+    // ── terminal-condition flags (guards 1-7), most-dangerous-first ──
+    const terminal = [
+        [!cryptoOk, 'void'],
+        [policyDeny && executed, 'void_policy_violation'],
+        [resourcePresentValid && intentPresent && temporalViolation, 'void_temporal_violation'],
+        [resourcePresentValid && intentOk && !resourceMatches, 'void_reconciliation_mismatch'],
+        [resourcePresentValid && !intentOk, 'resource_unbound'],
+        [authorityInvalid, 'authority_invalid'],
+        [!authorityPresent && !resourcePresentValid, 'self_attested'],
+    ];
+    const violations = terminal.filter(([held]) => held).map(([, d]) => d);
+    // ── first match wins ──
+    let disposition;
+    let incompleteReason;
+    const firstTerminal = terminal.find(([held]) => held);
+    if (firstTerminal) {
+        disposition = firstTerminal[1];
+    }
+    else if (authorityOk && intentOk && policyAllow && resourceOk && domains >= 2 &&
+        temporalConsistent && noneqOk && perClassOk && separationOk) {
+        disposition = 'regulator_grade_for_class';
+    }
+    else if (authorityOk && intentOk && policyAllow && resourceOk && domains >= 2 && temporalConsistent) {
+        disposition = 'reconciled';
+    }
+    else if (authorityOk && intentOk && policyAllow && !resourceOk) {
+        disposition = 'intent_precommitted';
+    }
+    else if (authorityOk && !intentOk) {
+        disposition = 'authority_bound';
+    }
+    else {
+        disposition = 'incomplete_for_class';
+        // deterministic reason precedence (AP-6)
+        if (policyDeny)
+            incompleteReason = 'policy_denied_no_execution';
+        else if (!authorityOk)
+            incompleteReason = 'missing_authority';
+        else if (!anchorPresent)
+            incompleteReason = 'missing_transparency_anchor';
+        else
+            incompleteReason = 'execution_unconfirmed';
+    }
+    // INVARIANT assertions (defense in depth; never reached if the table is correct).
+    if ((disposition === 'reconciled' || disposition === 'regulator_grade_for_class') &&
+        !(domains >= 2 && resourceOk && temporalConsistent)) {
+        throw new Error('RAPV0 invariant breach: reconciled/regulator_grade without domains>=2 AND resource_ok AND temporal_consistent');
+    }
+    const result = {
+        profile: REGULATED_ACTION_PROFILE,
+        disposition,
+        violations,
+        missing_evidence: missing,
+        trust_domain_separation: {
+            computed_domains: domains,
+            idp_counts: idpCounts,
+            resource_counts: resourceCounts,
+            operator_identity: ctx.operator_identity_id,
+            separation_ok: separationOk,
+        },
+        authority_replay: 'not_evaluated',
+        judgment_correctness: 'not_claimed',
+    };
+    if (incompleteReason)
+        result.incomplete_reason = incompleteReason;
+    if (authorityBasis)
+        result.authority_basis = authorityBasis;
+    return result;
+}
+// Convenience: rank lookup for callers gating on class >= 3 (regulated).
+export function actionClassRank(c) {
+    return ACTION_CLASS_RANK[c];
+}
+//# sourceMappingURL=verify.js.map

package/dist/src/v2/regulated-action/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../../../src/v2/regulated-action/verify.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,gFAAgF;AAChF,EAAE;AACF,6FAA6F;AAC7F,2FAA2F;AAC3F,yFAAyF;AACzF,4FAA4F;AAC5F,sFAAsF;AACtF,yFAAyF;AAEzF,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAA;AAC/E,OAAO,EAAE,MAAM,IAAI,QAAQ,EAAE,MAAM,sBAAsB,CAAA;AACzD,OAAO,EACL,wBAAwB,EACxB,SAAS,EACT,iBAAiB,GAClB,MAAM,YAAY,CAAA;AAUnB,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,CAAC,wBAAwB,EAAE,mBAAmB,CAAC,CAAC,CAAA;AACrF,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC,CAAA;AAE9D,SAAS,KAAK,CAAC,OAAe,EAAE,GAAuB,EAAE,MAA0B;IACjF,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IACjC,IAAI,CAAC;QACH,OAAO,QAAQ,CAAC,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,CAAA;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED,yFAAyF;AACzF,kDAAkD;AAClD,SAAS,aAAa,CAAC,GAAW,EAAE,SAAkC,EAAE,QAAgB;IACtF,MAAM,IAAI,GAA4B,EAAE,GAAG,SAAS,EAAE,CAAA;IACtD,OAAO,IAAI,CAAC,QAAQ,CAAC,CAAA;IACrB,OAAO,GAAG,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAA;AAC1C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CACnC,OAAiC,EACjC,GAAwB;IAExB,MAAM,OAAO,GAAa,EAAE,CAAA;IAE5B,0FAA0F;IAC1F,MAAM,KAAK,GAAG,GAAG,CAAC,wBAAwB,IAAI,EAAE,CAAA;IAChD,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,eAAe,EAAE,MAAM,CAAC,EAAE,SAAS,CAAA;IAClE,IAAI,QAAQ,GAAG,KAAK,CAClB,aAAa,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,YAAY,EAAE,OAAO,CAAC,YAAY,EAAE,MAAM,EAAE,OAAO,CAAC,eAAe,EAAE,MAAM,EAAE,EAAE,KAAK,CAAC,EAChL,OAAO,CAAC,eAAe,EAAE,GAAG,EAC5B,QAAQ,CACT,CAAA;IAED,MAAM,aAAa,GAAG,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAA;IACjD,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,EAAE,GAAG,OAAO,CAAC,iBAAkB,CAAA;QACrC,MAAM,cAAc,GAAG,OAAO,CAAC,uBAAuB,EAAE,MAAM,IAAI,GAAG,CAAC,cAAc,CAAA;QACpF,MAAM,SAAS,GAAG,cAAc,CAAC,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,SAAS,CAAA;QAC/E,MAAM,WAAW,GAAG,KAAK,CAAC,aAAa,CAAC,SAAS,CAAC,MAAM,EAAE,EAAwC,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC,CAAA;QAC1I,QAAQ,GAAG,QAAQ,IAAI,WAAW,CAAA;IACpC,CAAC;IAED,MAAM,aAAa,GAAG,CAAC,CAAC,OAAO,CAAC,uBAAuB,CAAA;IACvD,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,EAAE,GAAG,OAAO,CAAC,uBAAwB,CAAA;QAC3C,MAAM,SAAS,GAAG,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,SAAS,CAAA;QAC7C,MAAM,WAAW,GAAG,KAAK,CAAC,aAAa,CAAC,SAAS,CAAC,MAAM,EAAE,EAAwC,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC,CAAA;QAC1I,QAAQ,GAAG,QAAQ,IAAI,WAAW,CAAA;IACpC,CAAC;IAED,8FAA8F;IAC9F,+FAA+F;IAC/F,sFAAsF;IACtF,iGAAiG;IACjG,IAAI,CAAC,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;IAErC,gFAAgF;IAChF,MAAM,EAAE,GAAG,OAAO,CAAC,yBAAyB,CAAA;IAC5C,IAAI,mBAAmB,GAAG,KAAK,CAAA;IAC/B,IAAI,sBAAsB,GAAG,KAAK,CAAA;IAClC,IAAI,EAAE,EAAE,CAAC;QACP,MAAM,EAAE,GAAG,GAAG,CAAC,wBAAwB,EAAE,CAAC,EAAE,CAAC,aAAa,CAAC,CAAA;QAC3D,mBAAmB,GAAG,KAAK,CAAC,aAAa,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAwC,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC,SAAS,EAAE,EAAE,EAAE,SAAS,CAAC,CAAA;QAClJ,sBAAsB,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,sBAAsB,KAAK,KAAK,CAAA;IACtE,CAAC;IAED,wDAAwD;IACxD,MAAM,EAAE,GAAG,OAAO,CAAC,aAAa,CAAA;IAChC,MAAM,gBAAgB,GAAG,CAAC,CAAC,EAAE,CAAA;IAC7B,IAAI,WAAW,GAAG,KAAK,CAAA;IACvB,IAAI,kBAAkB,GAAG,KAAK,CAAA;IAC9B,IAAI,gBAAgB,GAAG,KAAK,CAAA;IAC5B,IAAI,cAA0C,CAAA;IAC9C,IAAI,EAAE,EAAE,CAAC;QACP,MAAM,MAAM,GAAG,EAAE,GAAI,EAAyC,EAAE,CAAA;QAChE,OAAO,MAAM,CAAC,aAAa,CAAA;QAC3B,MAAM,WAAW,GAAG,GAAG,SAAS,CAAC,SAAS,IAAI,eAAe,CAAC,MAAM,CAAC,EAAE,CAAA;QACvE,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC,aAAa,EAAE,GAAG,CAAC,UAAU,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAA;QACrF,MAAM,UAAU,GAAG,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC,aAAa,EAAE,GAAG,CAAC,0BAA0B,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAA;QACpG,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,SAAS,CAAC,CAAA;QACzC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,UAAU,CAAC,CAAA;QAC3C,MAAM,WAAW,GACf,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC;YACvD,QAAQ,IAAI,GAAG,CAAC,WAAW,IAAI,SAAS,IAAI,GAAG,CAAC,YAAY,CAAA;QAC9D,MAAM,YAAY,GAAG,GAAG,CAAC,YAAY,GAAG,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,iCAAiC,CAAA;QAChG,MAAM,WAAW,GAAG,WAAW,IAAI,YAAY,CAAA;QAC/C,WAAW,GAAG,WAAW,IAAI,WAAW,CAAA;QACxC,kBAAkB,GAAG,CAAC,WAAW,IAAI,CAAC,WAAW,IAAI,UAAU,IAAI,WAAW,CAAA;QAC9E,gBAAgB,GAAG,CAAC,WAAW,IAAI,CAAC,kBAAkB,CAAA;QACtD,cAAc,GAAG,WAAW,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,6BAA6B,CAAC,CAAC,CAAC,SAAS,CAAA;QAC9G,IAAI,gBAAgB;YAAE,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IACjD,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IAC3B,CAAC;IAED,eAAe;IACf,IAAI,QAAQ,GAAG,KAAK,CAAA;IACpB,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;QAC9B,MAAM,EAAE,GAAG,OAAO,CAAC,iBAAiB,CAAA;QACpC,MAAM,UAAU,GAAG,gBAAgB,CAAC;YAClC,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,KAAK,EAAE,EAAE,CAAC,KAAK;YACf,wBAAwB,EAAE,EAAE,EAAE,cAAc,IAAI,EAAE;YAClD,wBAAwB,EAAE,OAAO,CAAC,yBAAyB,EAAE,SAAS,IAAI,EAAE;YAC5E,oBAAoB,EAAE,EAAE,CAAC,oBAAoB;SAC9C,CAAC,CAAA;QACF,QAAQ,GAAG,EAAE,CAAC,wBAAwB,KAAK,IAAI,IAAI,UAAU,KAAK,EAAE,CAAC,WAAW,CAAA;IAClF,CAAC;IAED,eAAe;IACf,MAAM,EAAE,GAAG,OAAO,CAAC,uBAAuB,CAAA;IAC1C,MAAM,WAAW,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,QAAQ,KAAK,OAAO,IAAI,EAAE,CAAC,qBAAqB,KAAK,OAAO,CAAC,YAAY,CAAA;IACxG,MAAM,UAAU,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,CAAC,QAAQ,KAAK,MAAM,IAAI,EAAE,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAA;IAE7E,iBAAiB;IACjB,MAAM,oBAAoB,GACxB,CAAC,CAAC,EAAE;QACJ,oBAAoB,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC;QACjC,EAAE,CAAC,0BAA0B,KAAK,aAAa;QAC/C,mBAAmB;QACnB,sBAAsB;QACtB,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,CAAA;IACtC,MAAM,eAAe,GACnB,QAAQ,IAAI,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,iBAAiB;QAC/C,EAAE,CAAC,kBAAkB,KAAK,OAAO,CAAC,iBAAiB,CAAC,aAAa;QACjE,EAAE,CAAC,oBAAoB,KAAK,OAAO,CAAC,iBAAiB,CAAC,oBAAoB,CAAA;IAC5E,MAAM,UAAU,GAAG,oBAAoB,IAAI,eAAe,CAAA;IAC1D,MAAM,QAAQ,GAAG,oBAAoB,IAAI,GAAG,CAAC,kBAAkB,KAAK,IAAI,CAAA;IAExE,4BAA4B;IAC5B,IAAI,aAAa,GAAG,KAAK,CAAA;IACzB,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,OAAO,CAAC,gBAAgB,CAAA;QACnC,MAAM,IAAI,GAAG,GAAG,CAAC,oBAAoB,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,CAAA;QAClD,IAAI,OAAO,GAAG,KAAK,CAAA;QACnB,IAAI,IAAI,EAAE,CAAC;YACT,0FAA0F;YAC1F,IAAI,GAAG,GAAG,EAAE,CAAC,SAAS,CAAA;YACtB,IAAI,CAAC;gBACH,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,eAAe,EAAE,CAAC;oBACtC,GAAG,GAAG,IAAI,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC,gBAAgB,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAA;gBAClH,CAAC;gBACD,OAAO,GAAG,GAAG,KAAK,IAAI,CAAA;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,GAAG,KAAK,CAAA;YACjB,CAAC;QACH,CAAC;QACD,aAAa,GAAG,OAAO,IAAI,EAAE,CAAC,iBAAiB,KAAK,UAAU,CAAA;IAChE,CAAC;IACD,IAAI,CAAC,aAAa;QAAE,OAAO,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;IAEvD,MAAM,iBAAiB,GAAG,aAAa,IAAI,GAAG,CAAC,oCAAoC,KAAK,KAAK,CAAA;IAC7F,MAAM,kBAAkB,GAAG,aAAa,IAAI,GAAG,CAAC,oCAAoC,KAAK,IAAI,CAAA;IAC7F,MAAM,OAAO,GAAG,aAAa,IAAI,GAAG,CAAC,mBAAmB,KAAK,KAAK,CAAA;IAElE,+BAA+B;IAC/B,MAAM,SAAS,GAAG,WAAW,CAAA;IAC7B,MAAM,cAAc,GAAG,UAAU,IAAI,sBAAsB,CAAA;IAC3D,MAAM,OAAO,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;IAE9D,MAAM,cAAc,GAAa,EAAE,CAAA;IACnC,IAAI,OAAO,CAAC,eAAe,EAAE,MAAM;QAAE,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,MAAM,CAAC,CAAA;IACxF,IAAI,EAAE,EAAE,MAAM;QAAE,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,CAAA;IAC9C,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;QAC9B,MAAM,cAAc,GAAG,EAAE,EAAE,MAAM,IAAI,GAAG,CAAC,cAAc,CAAA;QACvD,IAAI,cAAc;YAAE,cAAc,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;IACzD,CAAC;IACD,MAAM,YAAY,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,QAAQ,KAAK,GAAG,CAAC,oBAAoB,CAAC,CAAA;IAErG,yDAAyD;IACzD,uFAAuF;IACvF,8FAA8F;IAC9F,sFAAsF;IACtF,MAAM,cAAc,GAAG,GAAG,CAAC,yBAAyB,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,CAAA;IAClF,MAAM,UAAU,GACd,cAAc,CAAC,MAAM,GAAG,CAAC;QACzB,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAE,OAA8C,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,CAAA;IAE/F,oEAAoE;IACpE,MAAM,QAAQ,GAAkC;QAC9C,CAAC,CAAC,QAAQ,EAAE,MAAM,CAAC;QACnB,CAAC,UAAU,IAAI,QAAQ,EAAE,uBAAuB,CAAC;QACjD,CAAC,oBAAoB,IAAI,aAAa,IAAI,iBAAiB,EAAE,yBAAyB,CAAC;QACvF,CAAC,oBAAoB,IAAI,QAAQ,IAAI,CAAC,eAAe,EAAE,8BAA8B,CAAC;QACtF,CAAC,oBAAoB,IAAI,CAAC,QAAQ,EAAE,kBAAkB,CAAC;QACvD,CAAC,gBAAgB,EAAE,mBAAmB,CAAC;QACvC,CAAC,CAAC,gBAAgB,IAAI,CAAC,oBAAoB,EAAE,eAAe,CAAC;KAC9D,CAAA;IACD,MAAM,UAAU,GAAkB,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAA;IAErF,yBAAyB;IACzB,IAAI,WAAwB,CAAA;IAC5B,IAAI,gBAA8C,CAAA;IAClD,MAAM,aAAa,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAA;IACrD,IAAI,aAAa,EAAE,CAAC;QAClB,WAAW,GAAG,aAAa,CAAC,CAAC,CAAC,CAAA;IAChC,CAAC;SAAM,IACL,WAAW,IAAI,QAAQ,IAAI,WAAW,IAAI,UAAU,IAAI,OAAO,IAAI,CAAC;QACpE,kBAAkB,IAAI,OAAO,IAAI,UAAU,IAAI,YAAY,EAC3D,CAAC;QACD,WAAW,GAAG,2BAA2B,CAAA;IAC3C,CAAC;SAAM,IAAI,WAAW,IAAI,QAAQ,IAAI,WAAW,IAAI,UAAU,IAAI,OAAO,IAAI,CAAC,IAAI,kBAAkB,EAAE,CAAC;QACtG,WAAW,GAAG,YAAY,CAAA;IAC5B,CAAC;SAAM,IAAI,WAAW,IAAI,QAAQ,IAAI,WAAW,IAAI,CAAC,UAAU,EAAE,CAAC;QACjE,WAAW,GAAG,qBAAqB,CAAA;IACrC,CAAC;SAAM,IAAI,WAAW,IAAI,CAAC,QAAQ,EAAE,CAAC;QACpC,WAAW,GAAG,iBAAiB,CAAA;IACjC,CAAC;SAAM,CAAC;QACN,WAAW,GAAG,sBAAsB,CAAA;QACpC,yCAAyC;QACzC,IAAI,UAAU;YAAE,gBAAgB,GAAG,4BAA4B,CAAA;aAC1D,IAAI,CAAC,WAAW;YAAE,gBAAgB,GAAG,mBAAmB,CAAA;aACxD,IAAI,CAAC,aAAa;YAAE,gBAAgB,GAAG,6BAA6B,CAAA;;YACpE,gBAAgB,GAAG,uBAAuB,CAAA;IACjD,CAAC;IAED,kFAAkF;IAClF,IAAI,CAAC,WAAW,KAAK,YAAY,IAAI,WAAW,KAAK,2BAA2B,CAAC;QAC7E,CAAC,CAAC,OAAO,IAAI,CAAC,IAAI,UAAU,IAAI,kBAAkB,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,KAAK,CAAC,+GAA+G,CAAC,CAAA;IAClI,CAAC;IAED,MAAM,MAAM,GAA0B;QACpC,OAAO,EAAE,wBAAwB;QACjC,WAAW;QACX,UAAU;QACV,gBAAgB,EAAE,OAAO;QACzB,uBAAuB,EAAE;YACvB,gBAAgB,EAAE,OAAO;YACzB,UAAU,EAAE,SAAS;YACrB,eAAe,EAAE,cAAc;YAC/B,iBAAiB,EAAE,GAAG,CAAC,oBAAoB;YAC3C,aAAa,EAAE,YAAY;SAC5B;QACD,gBAAgB,EAAE,eAAe;QACjC,oBAAoB,EAAE,aAAa;KACpC,CAAA;IACD,IAAI,gBAAgB;QAAE,MAAM,CAAC,iBAAiB,GAAG,gBAAgB,CAAA;IACjE,IAAI,cAAc;QAAE,MAAM,CAAC,eAAe,GAAG,cAAc,CAAA;IAC3D,OAAO,MAAM,CAAA;AACf,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,eAAe,CAAC,CAAiC;IAC/D,OAAO,iBAAiB,CAAC,CAAC,CAAC,CAAA;AAC7B,CAAC"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "agent-passport-system",
-  "version": "2.7.0",
-  "description": "Enforcement and accountability layer for AI agents. Bring your own identity (did:key, did:web, SPIFFE, OAuth, did:aps). Verifier hot path p50 = 420ns bare-metal Linux EPYC 7313P (§13.1 canonical environment per spec), 347ns AWS c7i.2xlarge, 292ns Mac M3. Gateway enforcement, monotonic narrowing, cascade revocation, Bayesian reputation, wallet binding, unified four-axis attribution primitive, per-period attribution settlement, data lifecycle, mutual authentication, Wave 1 accountability primitives (action, authority-boundary, custody, contestability, bundle), evidentiary type safety (claim/evidence registry, claim verifier with forbidden-substitution detection, contestation cascade). 3,791 tests.",
+  "version": "2.8.0",
+  "description": "Enforcement and accountability layer for AI agents. Bring your own identity (did:key, did:web, SPIFFE, OAuth, did:aps). Verifier hot path p50 = 420ns bare-metal Linux EPYC 7313P (§13.1 canonical environment per spec), 347ns AWS c7i.2xlarge, 292ns Mac M3. Gateway enforcement, monotonic narrowing, cascade revocation, Bayesian reputation, wallet binding, unified four-axis attribution primitive, per-period attribution settlement, data lifecycle, mutual authentication, Wave 1 accountability primitives (action, authority-boundary, custody, contestability, bundle), evidentiary type safety (claim/evidence registry, claim verifier with forbidden-substitution detection, contestation cascade). 3,881 tests.",
   "type": "module",
   "main": "dist/src/index.js",
   "types": "dist/src/index.d.ts",
@@ -20,7 +20,7 @@
   },
   "scripts": {
     "build": "tsc && chmod +x dist/src/cli/index.js",
-    "test": "npx tsx --test tests/passport.test.ts tests/adversarial.ts tests/v2.0-integration.ts tests/contract.test.ts tests/agora.test.ts tests/values.test.ts tests/delegation.test.ts tests/attribution.test.ts tests/policy.test.ts tests/canonical.test.ts tests/coordination.test.ts tests/commerce.test.ts tests/enforcement.test.ts tests/routing.test.ts tests/did-vc.test.ts tests/a2a.test.ts tests/principal.test.ts tests/adversarial-paper.test.ts tests/property-delegation.test.ts tests/intent.test.ts tests/reputation-authority.test.ts tests/cross-chain.test.ts tests/encrypted-messaging.test.ts tests/obligations.test.ts tests/execution-envelope.test.ts tests/adversarial-causal-chain.test.ts tests/governance.test.ts tests/feasibility.test.ts tests/identity.test.ts tests/precedent.test.ts tests/reanchor.test.ts tests/escalation.test.ts tests/oracle-witness.test.ts tests/messaging-audit.test.ts tests/policy-conflict.test.ts tests/data-source.test.ts tests/decision-semantics.test.ts tests/interop-vectors.test.ts tests/v2-bridge.test.ts tests/v2-full.test.ts tests/key-storage.test.ts tests/qntm-bridge.test.ts tests/agent-json-bridge.test.ts tests/did-resolution-conformance.test.ts tests/decision-equivalence.test.ts tests/data-lifecycle.test.ts tests/campaign7-composition.test.ts tests/entity-verification.test.ts tests/conformance.test.ts tests/governance-block.test.ts tests/aps-txt.test.ts tests/governance-360.test.ts tests/storage-backend.test.ts tests/receipt-bundle.test.ts tests/reputation-confidence.test.ts tests/governance-consumer.test.ts tests/charter.test.ts tests/institutional-governance-phase2.test.ts tests/data-source-attribution.test.ts tests/canonical-jcs.test.ts tests/temporal-spread.test.ts tests/fidelity-pressure.test.ts tests/denial-domains.test.ts tests/data-narrowing.test.ts tests/governance-posture.test.ts tests/anchor-state.test.ts tests/issuer-signature.test.ts tests/openshell-adapter.test.ts tests/attestation.test.ts tests/execution-attestation.test.ts tests/bilateral-receipt.test.ts tests/proof-namespace.test.ts tests/ecosystem-features.test.ts tests/persistent-passport.test.ts tests/security-av.test.ts tests/audit-fixes.test.ts tests/did-interop.test.ts tests/identity-bridge.test.ts tests/vc-wrapper.test.ts tests/identity-pipeline.test.ts tests/cross-protocol/sint-crossverify.test.ts tests/action-ref.test.ts tests/external-action-ref.test.ts tests/freshness.test.ts tests/evidence-grade.test.ts tests/key-rotation.test.ts tests/governance-regression.test.ts tests/posture-overlay.test.ts tests/feasibility-gateway.test.ts tests/trust-adapters.test.ts tests/evaluation-context.test.ts tests/health.test.ts tests/composio-adapter.test.ts tests/interop/ietf-envelope.test.ts tests/interop/signet-combined.test.ts tests/interop/moltrust-attestation.test.ts tests/interop/cross-protocol-vectors.test.ts tests/interop/receipt-chaining.test.ts tests/ibac-adapter.test.ts tests/langchain-adapter.test.ts tests/crewai-adapter.test.ts tests/mcp-adapter.test.ts tests/a2a-adapter.test.ts tests/gonka-adapter.test.ts tests/cross-algo-mismatch.test.ts tests/credential-lifecycle.test.ts tests/behavioral-memory.test.ts tests/telemetry-scope.test.ts tests/idempotency.test.ts tests/v2/wallet-binding.test.ts tests/v2/wallet-binding-fixture.test.ts tests/v2/credential-check-policy.test.ts tests/v2/delegation-escalation.test.ts tests/v2/attribution-consent.test.ts tests/v2/attribution-integration.test.ts tests/v2/attribution-primitive.test.ts tests/v2/attribution-primitive-integration.test.ts tests/v2/build-b-fractional-weights.test.ts tests/v2/build-b-cross-language.test.ts tests/v2/build-c-settlement.test.ts tests/v2/build-c-cross-language.test.ts tests/v2/build-c-end-to-end.test.ts tests/v2/provisional-statement.test.ts tests/temporal-decay.test.ts tests/confidence-breakdown.test.ts tests/behavioral-fingerprint.test.ts tests/session-boundary.test.ts tests/probe-identity.test.ts tests/v2/cognitive-attestation/envelope.test.ts tests/v2/cognitive-attestation/verify.test.ts tests/v2/cognitive-attestation/adversarial.test.ts tests/v2/mutual-auth/handshake.test.ts tests/v2/mutual-auth/adversarial.test.ts tests/v2/mutual-auth/conformance.test.ts tests/property-bilateral-receipt.test.ts tests/v2/instruction-provenance/conformance.test.ts tests/v2/instruction-provenance/adversarial.test.ts tests/v2/identity-composition-error.test.ts tests/v2/claim-evidence-types.test.ts tests/v2/claim-verifier.test.ts tests/v2/downstream-taint.test.ts tests/v2/payment-rails/nano.test.ts tests/v2/payment-rails/governance.test.ts tests/v2/payment-rails/ap2.test.ts tests/v2/payment-rails/x402.test.ts tests/v2/payment-rails/conformance/harness.test.ts tests/v2/payment-rails/binding-harness.test.ts tests/v2/payment-rails/stripe-issuing-primitives.test.ts tests/v2/payment-rails/acp.test.ts tests/v2/payment-rails/cycles.test.ts tests/v2/payment-rails/mpp.test.ts tests/v2/payment-rails/scope-resolution.test.ts tests/v2/payment-rails/accountability-bundle.test.ts tests/v2/payment-rails/did-uri-signing.test.ts tests/v2/payment-rails/cross-receipt-chain.test.ts src/v2/accountability/__tests__/action.test.ts src/v2/accountability/__tests__/authority-boundary.test.ts src/v2/accountability/__tests__/bundle.test.ts src/v2/accountability/__tests__/contestability.test.ts src/v2/accountability/__tests__/custody.test.ts src/v2/accountability/__tests__/fixtures.test.ts src/v2/cognitive_attestation/__tests__/cognitive_attestation.test.ts src/v2/delegation/__tests__/responsibility_anchor.test.ts src/v2/memory_provenance/__tests__/memory_provenance.test.ts src/v2/cross_issuer_attestation/__tests__/cross_issuer_attestation.test.ts src/v2/behavioral_drift_window/__tests__/behavioral_drift_window.test.ts tests/tool-registry-integrity.test.ts tests/v2/transport/rfc9421/request-binding.test.ts tests/v2/verifier-hardening.test.ts tests/v2/key-resolution/resolver.test.ts src/v2/feasibility/__tests__/feasibility.test.ts tests/oauth-rfc8693-bridge.test.ts tests/conformance/conformance-negatives.test.ts tests/v2/policy-bundle/policy-bundle.test.ts src/v2/scope-registry/__tests__/scope-registry.test.ts tests/check-many-parity.test.ts tests/cross-impl/jcs-equivalence.test.ts tests/remote-signer.test.ts tests/v2/assurance/descriptor.test.ts tests/v2/audience-binding/audience-binding.test.ts tests/v2/hash-pointer/bbs-composition.test.ts tests/v2/hash-pointer/profile.test.ts tests/v2/human-oversight/human-oversight.test.ts tests/v2/offline-verifier/conformance-runner.test.ts tests/v2/offline-verifier/middleware.test.ts tests/v2/offline-verifier/verify.test.ts tests/v2/payment-rails/cycles-evidence-resolution.test.ts tests/v2/revocation-enforcement.test.ts tests/v2/trust-policy/trust-policy.test.ts src/v2/context-provenance/__tests__/roundtrip.test.ts src/v2/context-provenance/__tests__/disclosure.test.ts src/v2/context-provenance/__tests__/known-answer.test.ts src/v2/context-provenance/__tests__/conformance.test.ts src/v2/context-provenance/__tests__/adversarial.test.ts src/v2/context-provenance/__tests__/parity.test.ts src/v2/context-provenance/__tests__/cross-lang-parity.test.ts tests/v2/verification-source.test.ts tests/v2/producer-attestation.test.ts tests/delegation-currency-narrowing.test.ts tests/delegation-temporal-narrowing.test.ts tests/oauth-id-jag-bridge.test.ts",
+    "test": "npx tsx --test tests/passport.test.ts tests/adversarial.ts tests/v2.0-integration.ts tests/contract.test.ts tests/agora.test.ts tests/values.test.ts tests/delegation.test.ts tests/attribution.test.ts tests/policy.test.ts tests/canonical.test.ts tests/coordination.test.ts tests/commerce.test.ts tests/enforcement.test.ts tests/routing.test.ts tests/did-vc.test.ts tests/a2a.test.ts tests/principal.test.ts tests/adversarial-paper.test.ts tests/property-delegation.test.ts tests/intent.test.ts tests/reputation-authority.test.ts tests/cross-chain.test.ts tests/encrypted-messaging.test.ts tests/obligations.test.ts tests/execution-envelope.test.ts tests/adversarial-causal-chain.test.ts tests/governance.test.ts tests/feasibility.test.ts tests/identity.test.ts tests/precedent.test.ts tests/reanchor.test.ts tests/escalation.test.ts tests/oracle-witness.test.ts tests/messaging-audit.test.ts tests/policy-conflict.test.ts tests/data-source.test.ts tests/decision-semantics.test.ts tests/interop-vectors.test.ts tests/v2-bridge.test.ts tests/v2-full.test.ts tests/key-storage.test.ts tests/qntm-bridge.test.ts tests/agent-json-bridge.test.ts tests/did-resolution-conformance.test.ts tests/decision-equivalence.test.ts tests/data-lifecycle.test.ts tests/campaign7-composition.test.ts tests/entity-verification.test.ts tests/conformance.test.ts tests/governance-block.test.ts tests/aps-txt.test.ts tests/governance-360.test.ts tests/storage-backend.test.ts tests/receipt-bundle.test.ts tests/reputation-confidence.test.ts tests/governance-consumer.test.ts tests/charter.test.ts tests/institutional-governance-phase2.test.ts tests/data-source-attribution.test.ts tests/canonical-jcs.test.ts tests/temporal-spread.test.ts tests/fidelity-pressure.test.ts tests/denial-domains.test.ts tests/data-narrowing.test.ts tests/governance-posture.test.ts tests/anchor-state.test.ts tests/issuer-signature.test.ts tests/openshell-adapter.test.ts tests/attestation.test.ts tests/execution-attestation.test.ts tests/bilateral-receipt.test.ts tests/proof-namespace.test.ts tests/ecosystem-features.test.ts tests/persistent-passport.test.ts tests/security-av.test.ts tests/audit-fixes.test.ts tests/did-interop.test.ts tests/identity-bridge.test.ts tests/vc-wrapper.test.ts tests/identity-pipeline.test.ts tests/cross-protocol/sint-crossverify.test.ts tests/action-ref.test.ts tests/external-action-ref.test.ts tests/freshness.test.ts tests/evidence-grade.test.ts tests/key-rotation.test.ts tests/governance-regression.test.ts tests/posture-overlay.test.ts tests/feasibility-gateway.test.ts tests/trust-adapters.test.ts tests/evaluation-context.test.ts tests/health.test.ts tests/composio-adapter.test.ts tests/interop/ietf-envelope.test.ts tests/interop/signet-combined.test.ts tests/interop/moltrust-attestation.test.ts tests/interop/cross-protocol-vectors.test.ts tests/interop/receipt-chaining.test.ts tests/ibac-adapter.test.ts tests/langchain-adapter.test.ts tests/crewai-adapter.test.ts tests/mcp-adapter.test.ts tests/a2a-adapter.test.ts tests/gonka-adapter.test.ts tests/cross-algo-mismatch.test.ts tests/credential-lifecycle.test.ts tests/behavioral-memory.test.ts tests/telemetry-scope.test.ts tests/idempotency.test.ts tests/v2/wallet-binding.test.ts tests/v2/wallet-binding-fixture.test.ts tests/v2/credential-check-policy.test.ts tests/v2/delegation-escalation.test.ts tests/v2/attribution-consent.test.ts tests/v2/attribution-integration.test.ts tests/v2/attribution-primitive.test.ts tests/v2/attribution-primitive-integration.test.ts tests/v2/build-b-fractional-weights.test.ts tests/v2/build-b-cross-language.test.ts tests/v2/build-c-settlement.test.ts tests/v2/build-c-cross-language.test.ts tests/v2/build-c-end-to-end.test.ts tests/v2/provisional-statement.test.ts tests/temporal-decay.test.ts tests/confidence-breakdown.test.ts tests/behavioral-fingerprint.test.ts tests/session-boundary.test.ts tests/probe-identity.test.ts tests/v2/cognitive-attestation/envelope.test.ts tests/v2/cognitive-attestation/verify.test.ts tests/v2/cognitive-attestation/adversarial.test.ts tests/v2/mutual-auth/handshake.test.ts tests/v2/mutual-auth/adversarial.test.ts tests/v2/mutual-auth/conformance.test.ts tests/property-bilateral-receipt.test.ts tests/v2/instruction-provenance/conformance.test.ts tests/v2/instruction-provenance/adversarial.test.ts tests/v2/identity-composition-error.test.ts tests/v2/claim-evidence-types.test.ts tests/v2/claim-verifier.test.ts tests/v2/downstream-taint.test.ts tests/v2/payment-rails/nano.test.ts tests/v2/payment-rails/governance.test.ts tests/v2/payment-rails/ap2.test.ts tests/v2/payment-rails/x402.test.ts tests/v2/payment-rails/conformance/harness.test.ts tests/v2/payment-rails/binding-harness.test.ts tests/v2/payment-rails/stripe-issuing-primitives.test.ts tests/v2/payment-rails/acp.test.ts tests/v2/payment-rails/cycles.test.ts tests/v2/payment-rails/mpp.test.ts tests/v2/payment-rails/scope-resolution.test.ts tests/v2/payment-rails/accountability-bundle.test.ts tests/v2/payment-rails/did-uri-signing.test.ts tests/v2/payment-rails/cross-receipt-chain.test.ts src/v2/accountability/__tests__/action.test.ts src/v2/accountability/__tests__/authority-boundary.test.ts src/v2/accountability/__tests__/bundle.test.ts src/v2/accountability/__tests__/contestability.test.ts src/v2/accountability/__tests__/custody.test.ts src/v2/accountability/__tests__/fixtures.test.ts src/v2/cognitive_attestation/__tests__/cognitive_attestation.test.ts src/v2/delegation/__tests__/responsibility_anchor.test.ts src/v2/memory_provenance/__tests__/memory_provenance.test.ts src/v2/cross_issuer_attestation/__tests__/cross_issuer_attestation.test.ts src/v2/behavioral_drift_window/__tests__/behavioral_drift_window.test.ts tests/tool-registry-integrity.test.ts tests/v2/transport/rfc9421/request-binding.test.ts tests/v2/verifier-hardening.test.ts tests/v2/key-resolution/resolver.test.ts src/v2/feasibility/__tests__/feasibility.test.ts tests/oauth-rfc8693-bridge.test.ts tests/conformance/conformance-negatives.test.ts tests/v2/policy-bundle/policy-bundle.test.ts src/v2/scope-registry/__tests__/scope-registry.test.ts tests/check-many-parity.test.ts tests/cross-impl/jcs-equivalence.test.ts tests/remote-signer.test.ts tests/v2/assurance/descriptor.test.ts tests/v2/audience-binding/audience-binding.test.ts tests/v2/hash-pointer/bbs-composition.test.ts tests/v2/hash-pointer/profile.test.ts tests/v2/human-oversight/human-oversight.test.ts tests/v2/offline-verifier/conformance-runner.test.ts tests/v2/offline-verifier/middleware.test.ts tests/v2/offline-verifier/verify.test.ts tests/v2/payment-rails/cycles-evidence-resolution.test.ts tests/v2/payment-rails/cycles-evidence-authority.test.ts tests/v2/revocation-enforcement.test.ts tests/v2/trust-policy/trust-policy.test.ts src/v2/context-provenance/__tests__/roundtrip.test.ts src/v2/context-provenance/__tests__/disclosure.test.ts src/v2/context-provenance/__tests__/known-answer.test.ts src/v2/context-provenance/__tests__/conformance.test.ts src/v2/context-provenance/__tests__/adversarial.test.ts src/v2/context-provenance/__tests__/parity.test.ts src/v2/context-provenance/__tests__/cross-lang-parity.test.ts tests/v2/verification-source.test.ts tests/v2/producer-attestation.test.ts tests/delegation-currency-narrowing.test.ts tests/delegation-temporal-narrowing.test.ts tests/oauth-id-jag-bridge.test.ts tests/v2/regulated-action/conformance.test.ts",
     "test:interop": "npx tsx --test tests/interop/ietf-envelope.test.ts tests/interop/signet-combined.test.ts tests/interop/moltrust-attestation.test.ts tests/interop/cross-protocol-vectors.test.ts tests/interop/receipt-chaining.test.ts",
     "test:quick": "tsx --test tests/passport.test.ts",
     "test:fixtures": "tsx fixtures/bilateral-delegation/test-canonicalize.ts",